| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.6.1.3 | Allocation of information security responsibilities | MR 1, MR 6 | Complete | Allocation of Information Security responsibilities are outlined in the Statement of Applicability. Information Security Manager in place. | InfoSec Mgr. | Information Security Manager Job Description and responsibilities. |
| A.6.1.4 | Authorisation process for information processing facilities | MR 8 | Complete | Authorisation will be from the Head of Corporate Planning and Intelligence Directorate, and LT authorisation if applicable. | Head of Corporate Planning & Intelligence | Change management process and sign off by Head of CPI. |
| A.6.1.5 | Confidentiality agreements | MR 9, MR 10, MR 11 | Complete | Employees are required to adhere to confidentiality requirements through published policies. Confidentiality is a standard clause for all company employees within their employment contract and third party agreements. | InfoSec Mgr. | Confirm with all Directorates that they have either their own document or abide by the contract and terms of reference offered to the third party. Documents will need to be entered into the CDC - not currently catalogued properly. |
| A.6.1.7 | Contact with special interest groups | | Complete | a. iNetworks Knowledge Hub and NWARP (North West Warning, Advice and Reporting Point). b. Regular communications with fire services and NWFC collaboration project. | InfoSec Mgr. | Ensure that the ISM attends these quarterly meetings and pursues contact with other Fire Services. |
| A.6.1.8 | Independent review of information security | MR 8 | Complete | Security consultancy - ECSC - review Jan 2012 and Aristi May 2013. Recent vulnerability test took place on the internal network, wireless network and Mobile Data Terminals. | InfoSec Mgr. | Regular, on-going audits with Wigan Council Internal Audit Department and Audit Commission. |
| A.6.2.1 | Identification of risks related to external parties | MR 11 | Partial | a. Risks relating to third parties are to be added to the Risk Assessment Register & Potential New Risks to be raised. b. Ensure that a list of external parties is kept up-to-date. | Risk | a. Each Directorate - On-going - Risk assessments to be undertaken and Directorate Risk Register. b. SIRO - Produce a list of all external parties and review regularly. |
| A.6.2.3 | Addressing security in third party agreements | MR 11 | Complete | Confidentiality and DPA are covered in standard contracts. | Service Solicitor | Service Solicitor will keep this process up-to-date. Where is this recorded? |
| A.7.1.3 | Acceptable use of assets | MR 3 | Complete | Acceptable Use Policy. | InfoSec Manager | Keep policy up-to-date on yearly review process. Acceptable Use Policy. |
| A.8.1.2 | Screening | MR 13, MR 14 | Complete | All employees are screened for references, medical status, and where appropriate CRB. Agency contract staff are not screened internally. | People & Organisational Development | HR document / policy review process. To be included in the Corporate Document Centre. |
| A.8.3.2 | Return of assets | | Complete | Line Manager is responsible for retrieving assets from the leaver, as recorded in the Asset Register. | People & Organisational Development / ICT | These should be kept up-to-date in the ICT SupportWorks system. |
| A.8.3.3 | Removal of access rights | | Complete | ICT Service Desk and Infrastructure team action account disabling and archiving for leavers. | ICT | Documented procedures needed. |
A.9 PHYSICAL AND ENVIRONMENTAL SECURITY
A.9.1 Secure areas

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.9.1.1 | Physical security perimeter | MR 18 | Complete | Perimeter is protected by gates, CCTV, and 24hr security guard on reception. | Finance and Technical Services | CCTV procedures needed. Site Security audit to be completed. |
| A.9.1.2 | Physical entry controls | MR 18 | Complete | Visitors are required to sign in. Staff and visitors have badges. Fobs required for access to specific areas. | Finance and Technical Services | Documentation / Procedures needed. |
| A.9.2.1 | Equipment siting and protection | MR 17 | Complete | Data Centre has restricted access, and protection against fire, smoke and unauthorised access. Visitors to the data centre must also sign in. | ICT | Documentation / Procedures needed. |
| A.9.2.2 | Supporting utilities | | Complete | Data Centre supported by UPS and cooling services. | ICT | Documentation / Procedures needed. |
| A.9.2.4 | Equipment maintenance | | Partial | Equipment list should be held by the Estates Dept and the ICT Service Desk. This will be the asset register. All maintenance schedules should be held by these departments. | ICT | Documentation / Procedures needed. |
| A.9.2.5 | Security of equipment off-premises | MR 9 | Partial | | ICT | Documentation / Procedures needed. |
| A.9.2.6 | Secure disposal or re-use of equipment | MR 9 | Partial | - If PCs are to be disposed of or sold to a third party reseller, ICT format all PC HDs with Blancco - government specification formatting application. - Contract for the disposal company is up for renewal; this has yet to be signed off (Sept 13). | ICT | PCs and Laptops are under this process. Printers and MFDs (Multi Function Devices) are under a contract with Ricoh. Mobile phones need to be included in this clause. CCTV procedures to be identified. |
| A.10.1.2 | Change management | MR 8 | Partial | RFC process managed by ICT Service Desk Manager (Change Manager) and CAB meetings. Not all changes are included in the process – see Risk Assessment. | ICT | All projects that have ICT involvement should follow this process, but this is not currently the case. |
| A.10.1.4 | Separation of development, test and operational facilities | MR 8 | Partial | ICT staff have designated roles. Access privileges are assigned dependent upon their job requirements. | People & Organisational Development / ICT | Refer to the job descriptions and role requirements and departmental operating procedures. |
| A.10.2.2 | Monitoring and review of third party services | MR 11 | Complete | Regular reports and service reviews for critical suppliers, including C&W, Daisy. | ICT | Documentation / Procedures needed. |
| A.10.3.2 | System acceptance | MR 8 | Incomplete | No formal Post Implementation Review (PIR) process in place. | ICT | Implement a Post Implementation Review. |
| A.10.7.3 | Network controls | MR 8 | Partial | Information Security Policies are in place but the technical controls need to be reviewed. | ICT | Procedures needed for administering network access controls. |
| A.10.7.4 | Security of network services | MR 7 | Incomplete | Information Management Strategy has been produced and the document management project is underway. | Corporate Planning and Intelligence Dir. | Document Management System is in development. |
A.10.8 Exchanges of information

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.10.8.1 | Information exchange policies and procedures | MR 9 | Partial | Data Sharing Group set up. No central repository of data sharing agreements has been produced. Partnership Agreements are being implemented. | Data Sharing Group / Information Security Manager | The group meets every two months and TOR and minutes are produced. The ISM is in the process of producing a GMFRS Data Sharing Agreement. |
| A.10.8.2 | Exchange agreements | MR 9 | Partial | Central repository of agreements needed, as they are currently held within the directorate that signs the agreement. | Corporate Planning and Intelligence Dir. | Organise the collation of all data sharing agreements needed within the CDC. |
| A.10.8.4 | Electronic messaging | MR 7 | Partial | Acceptable Use Policy is in place but technical controls need reviewing. | ICT | ISM to advise ICT on appropriate technical controls. |
| A.10.8.5 | Business information systems | MR 9 | Incomplete | Policy on connection with partners, including Wigan MBC and NW RCC, not yet defined. | ICT | Confirmation of the systems required before we can confirm any contracts for SLAs in place. ICT to supply the information. |
| A.10.10.3 | Protection of log information | MR 9 (GPG 13) | Complete | Access to the LogRhythm system is restricted to authorised users. | ICT | Procedures needed. |
| A.10.10.4 | Administrator and operator logs | MR 9 (GPG 13) | Complete | Admin and operator access is included in Windows event logs. | ICT | Procedures needed. |
| A.10.10.5 | Fault logging | MR 9 (GPG 13) | Complete | User and system fault reports and Service Desk actions are recorded in SupportWorks. | ICT | Procedures needed. |
| A.11.1.1 | Access control policy | MR 10 | Complete | Access Control Policy produced. | Information Security Manager | Access Control Policy. |
| A.11.2.2 | Privilege management | MR 9, MR 10 | Complete | Users are assigned departmental shares via Group Membership and deployed via login script. Additional share access is managed through ACLs and Groups, which are added to the user as authorised by the share owner. | People & Organisational Development / ICT | Documentation / Procedures needed. |
| A.11.2.3 | User password management | MR 9, MR 10 | Complete | Password Guidance document. | Information Security Manager | Password Guidance. |
| A.11.3.2 | Unattended user equipment | MR 10 | Complete | Clear Desk and Screen Policy. 10 minute screensaver enforced by AD Group Policy. | Information Security Manager | New staff are advised of policies in the induction process. |
| A.11.3.3 | Clear desk and clear screen policy | MR 7, MR 10 | Complete | Clear Desk and Screen Policy. | Information Security Manager | Awareness training needs to be implemented. |
A.11.4 Network access control

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.11.4.1 | Policy on use of network services | MR 7, MR 9 | Complete | Access control policy documented. ICT have a process for assigning access privileges, recorded in the SupportWorks system. | ICT | Access Control Policy. |
| A.11.4.2 | User authentication for external connections | MR 9 | Complete | 1. External users over the internet have VPN access with Vasco 2-factor authentication. | ICT | Administration documentation needed and yearly review schedule needed. |
| A.11.4.3 | Equipment identification in the network | MR 9 | Complete | 1. Internal wired network has Network Access Control (ForeScout) for device identification or authentication. 2. Internal wireless networks are restricted by MAC address authentication, WPA2/PSK security. | ICT | Administration documentation needed and yearly review schedule needed. |
| A.11.4.4 | Remote diagnostic and configuration port protection | MR 9 | Complete | All network devices in secure comms rooms. | ICT | Network Access Control system needs to be fully implemented and reports to be reviewed regularly. |
| A.11.4.5 | Segregation in networks | MR 9 | Complete | Networks are segmented through routers and layer 3 switches. | ICT | |
| A.11.4.7 | Network routing control | MR 9 | Complete | All routing managed by internal team for local and wide area networks. Connection to the internet managed by third party under SLA. | ICT | Intrinsic (third party) SLA and Documentation needed … to be entered into the CDC. |
| A.11.5.3 | Password management system | MR 9 | Complete | This is in place but it may be advisable to set the lock out procedure - three wrong passwords and lock out for 5 mins. | ICT | Advise ICT on the reasoning for the lock out process. |
| A.12.1.1 | Security requirements analysis and specification | MR 16 | Partial | Where raised, RFCs include a requirement to specify security controls. Many changes are implemented without RFCs. | ICT | Change Management process needs to be properly implemented within the organisation. |
A.12.2 Correct processing in applications

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.12.2.1 | Input data validation | | Incomplete | text to be completed ... | ICT | |
| A.12.2.2 | Control of internal processing | | Incomplete | text to be completed ... | ICT | |
| A.12.2.3 | Message integrity | | Incomplete | text to be completed ... | ICT | |
| A.12.2.4 | Output data validation | | Incomplete | text to be completed ... | ICT | |

A.12.3 Cryptographic controls

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.12.3.2 | Key management | MR 9 (HMG IAS 4) | Partial | Key management is in place but needs to be documented. | ICT | Documentation of procedures needed. |

A.12.4 Security of system files

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.12.4.1 | Control of operational software | MR 9 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |
| A.12.4.2 | Protection of system test data | MR 9 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |
| A.12.4.3 | Access control to program source code | MR 9 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |

A.12.5 Security in development and support processes

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.12.5.1 | Change control procedures | MR 8 | Partial | Formal RFC and CAB process managed through SupportWorks. Not enforced for all changes. | ICT | Review of controls and documentation needed. |
| A.12.5.2 | Technical review of applications after operating system changes | MR 8 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |
| A.12.5.3 | Restrictions on changes to software packages | MR 8 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |
| A.12.5.4 | Information leakage | MR 7 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |
| A.12.5.5 | Outsourced software development | MR 9 | Incomplete | No documented process or procedures in place. | ICT | Review of controls and documentation needed. |

A.12.6 Technical vulnerability management

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.12.6.1 | Control of technical vulnerabilities | MR 8 | Partial | Desktops and laptops are managed for Microsoft updates via WSUS. Servers are only patched at installation, to prevent conflict with applications. Non-Microsoft product patches are only updated when upgraded. | ICT | A patch management solution and policy to be introduced. |
| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.13.1.2 | Reporting security weaknesses | MR 12 | Partial | Incident Policy. Incidents are recorded in Secure Works for ICT events. Other security incidents not recorded. No definitive categorisation of events for ISM. Reported to Head of CPI at weekly meeting and to CLT and LT. | Information Security Manager | Progress Information Security awareness within the organisation. |
| A.13.2.2 | Learning from information security incidents | MR 12 | Partial | Not fully implemented. Information Security Group needs to be set up. | Information Security Manager | Set up the Information Security Group. |
| A.13.2.3 | Collection of evidence | MR 12 | Complete | Follow procedures as set up in the policy and CESG guidance (HMG SPF). | Information Security Manager | HMG SPF guidance on security incidents to be implemented. |

A.14 BUSINESS CONTINUITY MANAGEMENT
A.14.1 Information security aspects of business continuity management

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.14.1.1 | Including information security in the business continuity management process | MR 4 | Complete | Business Continuity management group co-ordinates Directorate Level BCPs. | Information Security Manager | The ISM is responsible for communicating information security issues with the Business Continuity Group. |
| A.14.1.2 | Business continuity and risk assessment | MR 4 | Complete | Each BCP has a Business Impact Analysis to determine prioritisation for recovery of services with each Directorate. | Business Continuity Group | The ISM is responsible for communicating information security issues with the Business Continuity Group. |
| A.14.1.3 | Developing and implementing continuity plans including information security | MR 4 | Complete | Business Continuity Plans implemented for each Directorate. ICT Continuity Plan includes BCP site at Stretford. | Information Security Manager | The ISM is responsible for communicating information security issues with the Business Continuity Group. |
| A.14.1.4 | Business continuity planning framework | MR 4 | Complete | All Directorates complete BCP plans as part of the whole BCP for the Authority. BCP Review meetings held to co-ordinate plans and testing. | Business Continuity Group | The ISM is responsible for communicating information security issues with the Business Continuity Group. |
| A.14.1.5 | Testing, maintaining and re-assessing business continuity plans | MR 4 | Partial | Desktop testing of departmental plans, reviewed regularly. Testing of BCP site not yet complete. | Business Continuity Group | ICT are due to go through testing on the BCS at Stretford S10 by the end of 2013. |

A.15 COMPLIANCE
A.15.1 Compliance with legal requirements

| Control | Title | Risk ref. | Status | Current position | Owner | Actions / reference |
|---|---|---|---|---|---|---|
| A.15.1.2 | Intellectual property rights (IPR) | MR 6 (HMG IAS 5) | Complete | IPR and copyright are maintained through contracts with third parties, in T&Cs of employment, and through control of installed software. | Deputy Clerk / Authority Solicitor | |
| A.15.1.3 | Protection of organisational records | MR 6 (HMG IAS 5) | Partial | Important HR and legal documents are kept under strict access control. Contracts may be held by departments, with no centralised record. | Corporate Planning and Intelligence Dir. | |
| A.15.1.5 | Prevention of misuse of information processing facilities | MR 6 (HMG IAS 5) | Complete | Acceptable Use Policy. | Information Security Manager | Acceptable Use Policy. |
| A.15.3.1 | Information systems audit controls | MR 5 | Partial | Change management process is in place but no evidence that this is followed as per ITIL recommendations. | ICT | The Change Management Board needs to be reintroduced to the organisation. |
| A.15.3.2 | Protection of information systems audit tools | MR 5 | Complete | Active Directory access controls are used, and procedures for requesting access are through the ICT SupportWorks Help Desk system. | ICT | Review schedule needs to be implemented. |
GLOSSARY

Summary of control status:

| Status | Count |
|---|---|
| Partial | 39 |
| Complete | 71 |
| Incomplete | 21 |
| N/A | 2 |
| Control Total | 133 |

Abbreviations:

| Abbreviation | Meaning |
|---|---|
| ISM | Information Security Manager |
| CLT | Corporate Leadership Team |
| ICT | Information & Communications Technology |
| HIKM | Head of Intelligence & Knowledge Management |
| CPI | Corporate Planning and Intelligence Directorate |
| RM | Risk Manager |
| DC | Deputy Clerk and Authority Solicitor |
| POD | People and Organisational Development |
| BCG | Business Continuity Group |